Xeno Kovah

@XenoKovah

Interested in reverse engineering, stealth malware, BIOS, UEFI, trusted computing, and training. Founder of . Now at Apple.

legbacore.com/Research.html
Vrijeme pridruživanja: veljača 2014.
81 fotografija ili videozapis Fotografije i videozapisi

Tweetovi

Blokirali ste korisnika/cu @XenoKovah

Jeste li sigurni da želite vidjeti te tweetove? Time nećete deblokirati korisnika/cu @XenoKovah

  1. proslijedio/la je Tweet
    26. sij

    I don't think FM work for such complex systems as Intel CSME. Starting from Intel-SA-00086 there were found many bugs in CSME firmware. I think in 2012 you were working just on CSME 11.x. Why those trivial buffer overflow bugs were not found?

    Around 2012 my colleagues and I worked on Intel ME We were bug hunters We read the code Line by line For months 1 team of many Want to tell me formal methods are too expensive? I've done code reviews I've done FM It's time to talk about it
    2 proslijeđena tweeta 13 korisnika označava da im se sviđa
    Poništi
  2. proslijedio/la je Tweet
    21. sij

    Untrusted Roots: exploiting vulnerabilities in Intel ACMs by

    1 reply 12 proslijeđenih tweetova 47 korisnika označava da im se sviđa
    Poništi
  3. 17. sij

    Can folks point me at the earliest examples of exploit-technique papers/presentations I could cite where type confusion vulnerabilities are described as "type confusion" rather than UAF for instance? I see the term gain popularity ~2010 so it'd probably be then or earlier

    5 replies 5 proslijeđenih tweetova 18 korisnika označava da im se sviđa
    Poništi
  4. 29. pro 2019.

    So when did @_embedi_ disappear? Their website/twitter account was still up when I last posted a timeline update in Oct. Sanctions officially killed them? (aka presumably just reorganizing under another name?)

    3 proslijeđena tweeta 14 korisnika označava da im se sviđa
    Poništi
  5. proslijedio/la je Tweet
    19. pro 2019.

    A new set of "Mac firmware security" pages are finally out, thanks to . Check it out, it's what me and my teammates at Apple had beet working on really damn hard for the last several years.

    1 reply 93 proslijeđena tweeta 221 korisnik označava da mu se sviđa
    Poništi
  6. proslijedio/la je Tweet
    19. pro 2019.

    Now live! 🔺The new Apple Security Bounty! 🔺The new Apple Platform Security guide, featuring Mac for the first time! (PDF version: ) 🔺My Black Hat 2019 talk: Happy holidays! 🎄

    12 replies 352 proslijeđena tweeta 837 korisnika označava da im se sviđa
    Poništi
  7. proslijedio/la je Tweet
    12. pro 2019.

    Our talk recording "Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller" is up! EC issue we found has a bigger impact from what we expected in the beginning

    29 proslijeđenih tweetova 78 korisnika označava da im se sviđa
    Poništi
  8. proslijedio/la je Tweet
    12. pro 2019.

    If you’ve got a security-sensitive codebase, you should be using -ftrivial-auto-init=pattern in Clang. In 2020, there’s no good reason for uninitialized variables to be exploitable.

    Mitigating Undefined Behavior 🔒 💥 🔒 My talk on automatic variable initialization at the developer meeting is now online!
    1 reply 16 proslijeđenih tweetova 48 korisnika označava da im se sviđa
    Poništi
  9. proslijedio/la je Tweet
    12. pro 2019.

    My slides on Insecure Boot are now available here:

    25 proslijeđenih tweetova 49 korisnika označava da im se sviđa
    Poništi
  10. 12. pro 2019.

    Video released:

    Check it out for more about the first-in-the-world work & Rafal Wojtczuk have done for UEFI DMA protection and UEFI sandboxing of PCIe Option ROMs
    Prikaži ovu nit
    1 reply 10 proslijeđenih tweetova 36 korisnika označava da im se sviđa
    Poništi
  11. proslijedio/la je Tweet
    10. pro 2019.

    My team has been working a lot with TPM hardware lately and found some pretty critical issues with the spec. Here's our 90-day disclosure of a vulnerability report we sent to . "Verifying TPM Boot Events and Untrusted Metadata"

    64 proslijeđena tweeta 135 korisnika označava da im se sviđa
    Poništi
  12. proslijedio/la je Tweet
    10. pro 2019.
    Odgovor korisnicima i sljedećem broju korisnika:

    By the way.. ;)

    1 reply 5 proslijeđenih tweetova 17 korisnika označava da im se sviđa
    Poništi
  13. proslijedio/la je Tweet
    10. pro 2019.

    Embargo ends - is public: It allows to induce faults into computations in SGX, breaking crypto and corrupting memory. Great collaboration with Kit Murdock, , , , Frank Piessens!!

    7 replies 163 proslijeđena tweeta 241 korisnik označava da mu se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  14. 4. pro 2019.

    Actually...Is anyone else aware of a graceful UEFI to OS VT-d handoff mechanism being implemented in production code? It just occurred to me that even though we only advertised 2 world-firsts for firmware protection, this could be a 3rd thing?

    1 reply 5 proslijeđenih tweetova 8 korisnika označava da im se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  15. 4. pro 2019.

    But yes, if a firmware with VT-d support doesn't know the OS is VT-d compatible (which it won't for everything other than macOS, because there's no speced out way to do this) it's necessarily to disable VT-d around ExitBootServices()

    1 reply 1 proslijeđeni tweet 3 korisnika označavaju da im se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  16. 4. pro 2019.

    I made a slide about this for Ivan's BH talk, but I forgot it got removed due to lack of time, so I suppose I should comment. When Mac UEFI added VT-d in 2017, we considered this and added graceful handoff between UEFI VT-d and macOS VT-d for the next release (10.12.4 IIRC)

    The problem is that the firmware has no way of knowing whether the OS has IOMMU support. If it doesn't, and if the firmware has enabled the IOMMU, then when the OS tries to do DMA then it'll probably do so to an address that's blocked by the IOMMU and then everything explodes.
    Prikaži ovu nit
    10 proslijeđenih tweetova 39 korisnika označava da im se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  17. 22. stu 2019.

    Moving from a monolithic ring 0, anyone-who-gets-in-wins memory space to the ring 0/ring 3 + virtual memory separation we depend on in all other contexts? Sure, why not

    1 reply 6 proslijeđenih tweetova 19 korisnika označava da im se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  18. 22. stu 2019.

    Enabling VT-d before there's even RAM available? It's what you gotta do ¯\_(ツ)_/¯

    1 reply 6 proslijeđenih tweetova 24 korisnika označavaju da im se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  19. 22. stu 2019.

    Or for the work and I did on bringing SecureBoot to the Mac

    1 reply 1 proslijeđeni tweet 7 korisnika označava da im se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  20. 22. stu 2019.

    Check it out for more about the first-in-the-world work & Rafal Wojtczuk have done for UEFI DMA protection and UEFI sandboxing of PCIe Option ROMs

    Mac secure boot (with two world firsts: DMA defense from PCIe Bus 0, and the Option ROM sandbox), iOS kernel integrity, Pointer Auth Codes (PAC), APRR register, Page Protection Layer (PPL), and novel Find My crypto — all in my slides from Black Hat 2019!
    Prikaži ovu nit
    1 reply 24 proslijeđena tweeta 68 korisnika označava da im se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi

@XenoKovah još nije objavio nijedan Tweet.

Čini se da učitavanje traje već neko vrijeme.

Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.

    Možda bi vam se svidjelo i ovo:

    ·